At a turning point

Why 2015 is the year of encryption

During a visit to Silicon Valley earlier this month, President Obama described himself as “a strong believer in strong encryption.” Some have criticized the president for equivocating on the issue, but as “strong believers” ourselves, we’ll take him at his word. Obama isn’t alone; everyone is calling for encryption, from activists to engineers, and even government agencies tasked with cybersecurity.

In the past, using encryption to secure files and communication has typically only been possible for technically sophisticated users. It’s taken some time for the tech industry and the open source community to ramp up their efforts to meet the call for widespread, usable encryption, but the pieces are in place for 2015 to be a turning point.

Last fall, [company]Apple[/company] and [company]Google[/company] announced that the newest versions of iOS and Android would encrypt the local storage of mobile devices by default, and 2015 will be the year this change really starts to takes hold. If your phone is running iOS 8 or Android Lollipop 5.0, photos, emails and all the other data stored on your device are automatically secure against rummaging by someone who happens to pick it up. More important, even the companies themselves can’t decrypt these devices, which is vital for protecting against hackers who might otherwise attempt to exploit a back door.

Of course the protection from these updated operating systems relies on user adoption, either by upgrading an old device or buying a new one with the new OS preinstalled. Gigaom readers might be on the leading edge, but not everyone rushes to upgrade. Based on past adoptiontrends, however, a majority of cell phone users will finally be running one of these two operating systems by the end of 2015. As the Supreme Court wrote last year, cell phones are a “pervasive and insistent part of modern life.” The world looks a whole lot different when most of those phones are encrypted by default.

There are two more developments involving encryption which might not make the front page this year, but they’re equally as important as the moves by Apple and Google, if not more so.

First, this month saw the finalization of the HTTP/2 protocol. HTTP/2 is designed to replace the aging Hyper-Text Transfer Protocol (HTTP), which for almost two decades has specified how web browsers and web servers communicate with one another. HTTP/2 brings many modern improvements to a protocol that was designed back when dial-up was king, including compression, multiplexed data transfers, and the ability for servers to preemptively push content to browsers.

Despite this, Mozilla and Google have promised that their browsers will only support encrypted HTTP/2 connections—which means that if website operators want to take advantage of all the performance improvements HTTP/2 has to offer, they’ll have to use encryption to do so or else risk losing a very large portion of their audience. The net result will undoubtedly be vastly more web traffic being encrypted by default.

But as any sysadmin can tell you, setting up a website that supports encryption properly can be a huge hassle. That’s because in order to offer secure connections, websites must have correctly configured “certificates” signed by trusted third parties, or Certificate Authorities. Obtaining a certificate can be complicated and costly, and this is one of the biggest issues standing in the way of default use of HTTPS (and encrypted HTTP/2) by websites.

Fortunately, a new project launching this summer promises to radically lower this overheard. Let’s Encrypt will act as a free Certificate Authority, offering a dramatically sped-up certificate process and putting implementation of HTTPS within the reach of any website operator. (Disclosure: Our employer, the Electronic Frontier Foundation, is a founding partner in Let’s Encrypt.)

Of course there are sure to be other developments in this Year of Encryption. For example, both Google and Yahoo have tantalizingly committed to rolling out end-to-end encryption for their email services, which could be a huge step toward improving the famously terrible usability of email encryption.

Finally, we’d be accused of naiveté if we didn’t acknowledge that despite President Obama’s ostensible support, many high-level law enforcement and national security officials are still calling for a “debate” about the balance between encryption and lawful access. Even putting aside the cold, hard fact that there’s no such thing as a “golden key,” this debate played out in the nineties in favor of strong encryption. We’re confident that in light of the technical strides like the ones we’ve described, calls for backdoored crypto will come to seem increasingly quaint.

Andrew Crocker is an attorney and fellow at the Electronic Frontier Foundation. Follow him on Twitter @AGCrocker.

Jeremy Gillula is a staff technologist at the Electronic Frontier Foundation. Prior to EFF, Jeremy received his doctorate in computer science from Stanford, and a bachelor’s degree from Caltech.

There have been a number of solutions that have come to market in the last couple of years that make email encryption much easier, and totally secure. Waiting for Google to release an add-on that will only work with other Gmail users, and only on Chrome, doesn’t really improve the “famously terrible usability” you describe. For people who need to read or send on mobile devices, or who need to communicate with recipients with accounts at other providers, it will be only marginally better.

“weâ€™ll take him at his word” – words that should never be applied to an American politician. I hope that the tech community can make strong encryption de facto before the government can try to pass laws making it illegal.